The server must send at least one challenge in the form of a WWW-Authenticate header field, according to Section 4.1.

The client may send a second request with the same credentials; if the challenge is then identical to the one before, the server will provide an entity to help the client find what credentials are needed.

If you're seeing a 403 error without Cloudflare branding, this is always returned directly from the origin web server, not Cloudflare, and is generally related to permission rules on your server.

The top reasons for this error are:

1. Permission rules you have set or an error in the .htaccess rules you have set
2. Mod_security rules
3. IP Deny rules

Since Cloudflare cannot access your server directly, please contact your hosting provider for assistance with resolving 403 errors and fixing rules. You should make sure that Cloudflare's IPs aren't being blocked.

Cloudflare will serve 403 responses if the request violated either a default WAF rule enabled for all orange-clouded Cloudflare domains or a WAF rule enabled for that particular zone. Read more at What does the Web Application Firewall do? Cloudflare will also serve a 403 Forbidden response for SSL connections to sub/domains that aren't covered by any Cloudflare or uploaded SSL certificate.

If you're seeing a 403 response that contains Cloudflare branding in the response body, this is the HTTP response code returned along with many of our security features:

Web Application Firewall challenge and block pages

Basic Protection level challenges

Most 1xxx Cloudflare error codes

The Browser Integrity Check

If you're attempting to access a second level of subdomains (e.g. *.*.example.com) through Cloudflare using the Cloudflare-issued certificate, an HTTP 403 error will be seen in the browser, as these host names are not present on the certificate.

If you have questions, contact Cloudflare Support and include a screenshot of the message you see or copy all the text on the page into a support ticket.

Origin server was unable or unwilling to find the resource requested. This usually means the host server could not find the resource. To serve a more permanent version of this error one should use a 410 error code.

These errors typically occur when someone mistypes a URL on your site, when there’s a broken link from another page, when a page that previously existed is moved or removed, or there is an error when a search engine indexes your site. For a typical site, these errors account for c. 3% of the total page views, but they’re often untracked by traditional analytics platforms like Google Analytics.

Cloudflare does not generate 404s for customer websites; we only proxy the response from the origin server. When seeing a 404 for your Cloudflare-powered site, you should contact your hosting provider for help.

Server denies the request because the resource failed to meet the conditions specified by the client.

As an example from version control: a client is modifying an existing resource and sets the If-Unmodified-Since header to match the date on which it downloaded the resource and began its edits. If the resource was edited (likely by another client) after this date and before the edits are uploaded, this response will be generated, since the date of the last edit comes after the date set in If-Unmodified-Since by the client.

Cloudflare will serve this response. For more information see: ETag Headers
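
The version-control scenario above, as an added example that is not part of the original page: a minimal Python model of how an origin might evaluate If-Unmodified-Since on an upload, including the case where the header is not a valid HTTP-date and is therefore ignored. The `Resource` class, the `handle_put` and `lost_update_demo` functions, the 204 success status and the timestamps are hypothetical and constructed for illustration.

```python
from datetime import datetime, timezone
from email.utils import format_datetime, parsedate_to_datetime


class Resource:
    """A stored document plus the time of its last edit (hypothetical model)."""

    def __init__(self, body, modified):
        self.body = body
        # HTTP-dates have one-second resolution, so compare at that resolution.
        self.modified = modified.replace(microsecond=0)


def http_date(dt):
    """Format an aware UTC datetime as an HTTP-date, e.g. for Last-Modified."""
    return format_datetime(dt, usegmt=True)


def handle_put(resource, headers, new_body, now):
    """Apply an upload, honouring If-Unmodified-Since. Returns the status code."""
    raw = headers.get("If-Unmodified-Since")
    if raw is not None:
        try:
            since = parsedate_to_datetime(raw)
        except (TypeError, ValueError):
            since = None  # not a valid HTTP-date: the condition is ignored
        if since is not None and since.tzinfo is None:
            since = since.replace(tzinfo=timezone.utc)
        if since is not None and resource.modified > since:
            return 412  # edited after the client's copy was downloaded
    resource.body = new_body
    resource.modified = now.replace(microsecond=0)
    return 204


def lost_update_demo():
    """Two clients download the same version; the slower writer gets a 412."""
    t0 = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)  # constructed
    doc = Resource("v1", t0)
    # Both clients remember the date of the copy they downloaded.
    fetched = {"If-Unmodified-Since": http_date(doc.modified)}
    first = handle_put(doc, dict(fetched), "edit from client B",
                       t0.replace(minute=5))
    second = handle_put(doc, dict(fetched), "edit from client A",
                        t0.replace(minute=9))
    return first, second, doc.body
```

Client A's edit is rejected rather than silently overwriting client B's, which is the lost-update protection the precondition exists to provide.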

The server refuses the request because the URI was too long to be processed. For example, if a client is attempting a GET request with an unusually long URI after a POST, this could be seen as a security risk and a 414 gets generated.

Refusal from the server to process the format of the current payload. One way to identify and fix this issue would be to look at the Content-Type or Content-Encoding headers sent in the client’s request.

The client has sent too many requests in the specified amount of time according to the server, often known as "rate-limiting". The server may respond with information allowing the requester to retry after a specific period of time.

Cloudflare will generate and send this status code when a request is being rate limited. If visitors to your site are receiving these error codes, you will be able to see this in the Rate Limiting Analytics.